samba - Feb 2019 - Computer Management - Share Security - No Read Access

On Thu, 21 Feb 2019 11:12:05 -0500
Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> 
> On 2019-02-21 10:57 am, Rowland Penny via samba wrote:
> > On Thu, 21 Feb 2019 10:39:47 -0500
> > Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> > 
> >> 
> >> On 2019-02-20 7:12 am, Rowland Penny wrote:
> >> > On Wed, 20 Feb 2019 11:02:55 +0000
> >> > Rowland Penny via samba <samba at lists.samba.org>
wrote:
> >> >
> >> >> On Tue, 19 Feb 2019 22:05:12 +0000
> >> >> Rowland Penny via samba <samba at lists.samba.org>
wrote:
> >> >>
> >> >> > OK, it is late here, but just in case something has
changed, I
> >> >> > will set up a new Debian 9 VM tommorrow, install the
distro
> >> >> > Samba Packages and follow the Samba wiki page.
> >> >> >
> >> >> > Can you confirm that you are using Samba from Debian
9.
> >> >> > You seem to be using '/server' as the shared
directory, is
> >> >> > this correct ?
> >> >> > What Windows version are you using ? (I know you may
have
> >> >> > already said, but it saves me looking it up)
> >> >> >
> >> >> > Rowland
> >> >> >
> >> >>
> >> >> OK, it (as I expected) works, I will clean up my notes
and send
> >> >> the OP a copy.
> >> >>
> >> >> Rowland
> >> 
> >> Sorry to be a pain on this, but something just refuses to work
> >> as I would expect.  I've tried the following:
> >> 
> >> 1) remove the share definition from smb.conf
> >> 2) Restart smbd
> >> 3) Remove (delete) the share directory from Linux
> >> 4) Check "Computer Management" on windows - Share is
Gone
> >> 5) mkdir -p /server/share-files
> >> 6) chown root:"Domain Admins" /server/share-files
> >> 7) chmod 0770 /server/share-files
> >> 8) getfacl /server/share-files
> >>     -> permissions match 0770
> >> 8) Restore (un-comment) share definition in smb.conf
> >>     -> [share-files]
> >>     ->     path = /server/share-files
> >>     ->     read only = no
> >> 9) smbcontrol all reload-config
> >> 10) restart smbd
> > 
> > If you do '9', you don't need to do '10'
> 
> Expect both would achieve same.  Figured it wouldn't hurt.
Well yes, it doesn't hurt, you just don't need to do both ;-)
> 
> > 
> >> 11) Go into "Computer Management" on windows & get
to
> >>      "Shares" on machine253
> >> 
> >> Here is what I find odd.  The "Share permissions" tab
lists
> >> one of the groups I previously defined.  It is not a windows
> >> "built-in" group.  I created it using samba-tool on the
AD.
> > 
> > Ignore the 'shares' tab, just use the 'security' tab,
for which a
> > better name would be 'NTFS permissions'
> > 
> >> 
> >> If I removed the share and then recreated it, I would expect
> >> a 'default' listing of groups.  Instead I seem to be
getting a
> >> previous "historical" group listing if I reuse the same
> >> share names or directory names.
> >> 
> >> Two more things:
> >> 
> >> After all of this clicking and changing, I do not get the
> >> '+' on the directory permissions.  It still reads as a
> >> basic 0770.  It seems having this in the share is critical
> >> to normal behavior.  At least once that appeared on my
> >> other server - those shares started exhibiting normal
> >> behavior.
> >> 
> >> Second, I've discovered that if I add the "Everyone"
group
> >> to the "Share Permissions" then suddenly I can modify
> >> the Security tab.  If I remove the "Everyone group" then
> >> it eventually reverts to giving me the following error:
> > 
> > As I said above, ignore the 'Share' tab, leave
'Everyone' there.
> > I go now to update the wiki page (again).
I have updated the wiki page.
> 
> Just discovered that although I can access "Security" (ie NTFS 
> Permissions)
> I get "Failed to enumerate objects in the containet. Access is
denied"
> when I attempt to apply the changes.
> 
If you followed document I sent you, it should work, but it looks like
you are not following it fully, I never mentioned the 'Share
Permissions' tab.

Rowland

On 2019-02-21 11:30 am, Rowland Penny via samba wrote:
> On Thu, 21 Feb 2019 11:12:05 -0500
> Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> 
>> 
>> On 2019-02-21 10:57 am, Rowland Penny via samba wrote:
>> > On Thu, 21 Feb 2019 10:39:47 -0500
>> > Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>> >
>> >>
>> >> On 2019-02-20 7:12 am, Rowland Penny wrote:
>> >> > On Wed, 20 Feb 2019 11:02:55 +0000
>> >> > Rowland Penny via samba <samba at lists.samba.org>
wrote:
>> >> >
>> >> >> On Tue, 19 Feb 2019 22:05:12 +0000
>> >> >> Rowland Penny via samba <samba at
lists.samba.org> wrote:
>> >> >>
>> >> >> > OK, it is late here, but just in case something
has changed, I
>> >> >> > will set up a new Debian 9 VM tommorrow, install
the distro
>> >> >> > Samba Packages and follow the Samba wiki page.
>> >> >> >
>> >> >> > Can you confirm that you are using Samba from
Debian 9.
>> >> >> > You seem to be using '/server' as the
shared directory, is
>> >> >> > this correct ?
>> >> >> > What Windows version are you using ? (I know you
may have
>> >> >> > already said, but it saves me looking it up)
>> >> >> >
>> >> >> > Rowland
>> >> >> >
>> >> >>
>> >> >> OK, it (as I expected) works, I will clean up my
notes and send
>> >> >> the OP a copy.
>> >> >>
>> >> >> Rowland
>> >>
>> >> Sorry to be a pain on this, but something just refuses to work
>> >> as I would expect.  I've tried the following:
>> >>
>> >> 1) remove the share definition from smb.conf
>> >> 2) Restart smbd
>> >> 3) Remove (delete) the share directory from Linux
>> >> 4) Check "Computer Management" on windows - Share is
Gone
>> >> 5) mkdir -p /server/share-files
>> >> 6) chown root:"Domain Admins" /server/share-files
>> >> 7) chmod 0770 /server/share-files
>> >> 8) getfacl /server/share-files
>> >>     -> permissions match 0770
>> >> 8) Restore (un-comment) share definition in smb.conf
>> >>     -> [share-files]
>> >>     ->     path = /server/share-files
>> >>     ->     read only = no
>> >> 9) smbcontrol all reload-config
>> >> 10) restart smbd
>> >
>> > If you do '9', you don't need to do '10'
>> 
>> Expect both would achieve same.  Figured it wouldn't hurt.
> 
> Well yes, it doesn't hurt, you just don't need to do both ;-)
> 
>> 
>> >
>> >> 11) Go into "Computer Management" on windows &
get to
>> >>      "Shares" on machine253
>> >>
>> >> Here is what I find odd.  The "Share permissions"
tab lists
>> >> one of the groups I previously defined.  It is not a windows
>> >> "built-in" group.  I created it using samba-tool on
the AD.
>> >
>> > Ignore the 'shares' tab, just use the 'security'
tab, for which a
>> > better name would be 'NTFS permissions'
>> >
>> >>
>> >> If I removed the share and then recreated it, I would expect
>> >> a 'default' listing of groups.  Instead I seem to be
getting a
>> >> previous "historical" group listing if I reuse the
same
>> >> share names or directory names.
>> >>
>> >> Two more things:
>> >>
>> >> After all of this clicking and changing, I do not get the
>> >> '+' on the directory permissions.  It still reads as a
>> >> basic 0770.  It seems having this in the share is critical
>> >> to normal behavior.  At least once that appeared on my
>> >> other server - those shares started exhibiting normal
>> >> behavior.
>> >>
>> >> Second, I've discovered that if I add the
"Everyone" group
>> >> to the "Share Permissions" then suddenly I can
modify
>> >> the Security tab.  If I remove the "Everyone group"
then
>> >> it eventually reverts to giving me the following error:
>> >
>> > As I said above, ignore the 'Share' tab, leave
'Everyone' there.
>> > I go now to update the wiki page (again).
> 
> I have updated the wiki page.
> 
>> 
>> Just discovered that although I can access "Security" (ie
NTFS
>> Permissions)
>> I get "Failed to enumerate objects in the containet. Access is
denied"
>> when I attempt to apply the changes.
>> 
> 
> If you followed document I sent you, it should work, but it looks like
> you are not following it fully, I never mentioned the 'Share
> Permissions' tab.
The "Share Permissions" was on the wiki.

With respect to your document, I'm following it to the letter.
Can't see anything I missed:

root at sce253:/# service smbd stop
root at sce253:/# rmdir /server/share-files
root at sce253:/# rmdir /server/users
root at sce253:/# cd ..
root at sce253:/# rmdir server
root at sce253:/# mkdir -p /server/share-files
root at sce253:/# mkdir -p /server/users
root at sce253:/# chown root:"Domain Admins" /server/share-files
root at sce253:/# chown root:"Domain Admins" /server/users
root at sce253:/# chmod 0770 /server/share-files
root at sce253:/# chmod 0770 /server/users
root at sce253:/# ls -l /server
total 8
drwxrwx--- 2 root domain admins 4096 Feb 21 12:00 share-files
drwxrwx--- 2 root domain admins 4096 Feb 21 12:00 users
root at sce253:/# getfacl /server/share-files
getfacl: Removing leading '/' from absolute path names
# file: server/share-files
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

root at sce253:/# getfacl /server/users
getfacl: Removing leading '/' from absolute path names
# file: server/users
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

root at sce253:/# service smbd start

** Computer Management -> Connect to other computer
** Click thru connection warning
** Open Shared Folders
** right click "shared-files" & select properties
** Select Security Tab
** Hit 'ADD' and find and add 'programs' group. (Completes)
** Grant Full Control
** Hit OK
** Click "Yes" to remotely reset permissions

******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED

Can't see where I could be deviating

On 2019-02-21 12:11 pm, Marco Shmerykowsky via samba
wrote:
> On 2019-02-21 11:30 am, Rowland Penny via samba wrote:
>> On Thu, 21 Feb 2019 11:12:05 -0500
>> Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>> 
>>> 
>>> On 2019-02-21 10:57 am, Rowland Penny via samba wrote:
>>> > On Thu, 21 Feb 2019 10:39:47 -0500
>>> > Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>>> >
>>> >>
>>> >> On 2019-02-20 7:12 am, Rowland Penny wrote:
>>> >> > On Wed, 20 Feb 2019 11:02:55 +0000
>>> >> > Rowland Penny via samba <samba at
lists.samba.org> wrote:
>>> >> >
>>> >> >> On Tue, 19 Feb 2019 22:05:12 +0000
>>> >> >> Rowland Penny via samba <samba at
lists.samba.org> wrote:
>>> >> >>
>>> >> >> > OK, it is late here, but just in case
something has changed, I
>>> >> >> > will set up a new Debian 9 VM tommorrow,
install the distro
>>> >> >> > Samba Packages and follow the Samba wiki
page.
>>> >> >> >
>>> >> >> > Can you confirm that you are using Samba
from Debian 9.
>>> >> >> > You seem to be using '/server' as
the shared directory, is
>>> >> >> > this correct ?
>>> >> >> > What Windows version are you using ? (I know
you may have
>>> >> >> > already said, but it saves me looking it up)
>>> >> >> >
>>> >> >> > Rowland
>>> >> >> >
>>> >> >>
>>> >> >> OK, it (as I expected) works, I will clean up my
notes and send
>>> >> >> the OP a copy.
>>> >> >>
>>> >> >> Rowland
>>> >>
>>> >> Sorry to be a pain on this, but something just refuses to
work
>>> >> as I would expect.  I've tried the following:
>>> >>
>>> >> 1) remove the share definition from smb.conf
>>> >> 2) Restart smbd
>>> >> 3) Remove (delete) the share directory from Linux
>>> >> 4) Check "Computer Management" on windows -
Share is Gone
>>> >> 5) mkdir -p /server/share-files
>>> >> 6) chown root:"Domain Admins"
/server/share-files
>>> >> 7) chmod 0770 /server/share-files
>>> >> 8) getfacl /server/share-files
>>> >>     -> permissions match 0770
>>> >> 8) Restore (un-comment) share definition in smb.conf
>>> >>     -> [share-files]
>>> >>     ->     path = /server/share-files
>>> >>     ->     read only = no
>>> >> 9) smbcontrol all reload-config
>>> >> 10) restart smbd
>>> >
>>> > If you do '9', you don't need to do '10'
>>> 
>>> Expect both would achieve same.  Figured it wouldn't hurt.
>> 
>> Well yes, it doesn't hurt, you just don't need to do both ;-)
>> 
>>> 
>>> >
>>> >> 11) Go into "Computer Management" on windows
& get to
>>> >>      "Shares" on machine253
>>> >>
>>> >> Here is what I find odd.  The "Share
permissions" tab lists
>>> >> one of the groups I previously defined.  It is not a
windows
>>> >> "built-in" group.  I created it using samba-tool
on the AD.
>>> >
>>> > Ignore the 'shares' tab, just use the
'security' tab, for which a
>>> > better name would be 'NTFS permissions'
>>> >
>>> >>
>>> >> If I removed the share and then recreated it, I would
expect
>>> >> a 'default' listing of groups.  Instead I seem to
be getting a
>>> >> previous "historical" group listing if I reuse
the same
>>> >> share names or directory names.
>>> >>
>>> >> Two more things:
>>> >>
>>> >> After all of this clicking and changing, I do not get the
>>> >> '+' on the directory permissions.  It still reads
as a
>>> >> basic 0770.  It seems having this in the share is critical
>>> >> to normal behavior.  At least once that appeared on my
>>> >> other server - those shares started exhibiting normal
>>> >> behavior.
>>> >>
>>> >> Second, I've discovered that if I add the
"Everyone" group
>>> >> to the "Share Permissions" then suddenly I can
modify
>>> >> the Security tab.  If I remove the "Everyone
group" then
>>> >> it eventually reverts to giving me the following error:
>>> >
>>> > As I said above, ignore the 'Share' tab, leave
'Everyone' there.
>>> > I go now to update the wiki page (again).
>> 
>> I have updated the wiki page.
>> 
>>> 
>>> Just discovered that although I can access "Security" (ie
NTFS
>>> Permissions)
>>> I get "Failed to enumerate objects in the containet. Access is
>>> denied"
>>> when I attempt to apply the changes.
>>> 
>> 
>> If you followed document I sent you, it should work, but it looks like
>> you are not following it fully, I never mentioned the 'Share
>> Permissions' tab.
> 
> The "Share Permissions" was on the wiki.
> 
> With respect to your document, I'm following it to the letter.
> Can't see anything I missed:
> 
> root at sce253:/# service smbd stop
> root at sce253:/# rmdir /server/share-files
> root at sce253:/# rmdir /server/users
> root at sce253:/# cd ..
> root at sce253:/# rmdir server
> root at sce253:/# mkdir -p /server/share-files
> root at sce253:/# mkdir -p /server/users
> root at sce253:/# chown root:"Domain Admins" /server/share-files
> root at sce253:/# chown root:"Domain Admins" /server/users
> root at sce253:/# chmod 0770 /server/share-files
> root at sce253:/# chmod 0770 /server/users
> root at sce253:/# ls -l /server
> total 8
> drwxrwx--- 2 root domain admins 4096 Feb 21 12:00 share-files
> drwxrwx--- 2 root domain admins 4096 Feb 21 12:00 users
> root at sce253:/# getfacl /server/share-files
> getfacl: Removing leading '/' from absolute path names
> # file: server/share-files
> # owner: root
> # group: domain\040admins
> user::rwx
> group::rwx
> other::---
> 
> root at sce253:/# getfacl /server/users
> getfacl: Removing leading '/' from absolute path names
> # file: server/users
> # owner: root
> # group: domain\040admins
> user::rwx
> group::rwx
> other::---
> 
> root at sce253:/# service smbd start
> 
> ** Computer Management -> Connect to other computer
> ** Click thru connection warning
> ** Open Shared Folders
> ** right click "shared-files" & select properties
> ** Select Security Tab
> ** Hit 'ADD' and find and add 'programs' group. (Completes)
> ** Grant Full Control
> ** Hit OK
> ** Click "Yes" to remotely reset permissions
> 
> ******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED
> 
> Can't see where I could be deviating
Tried to set the acl's manually.  So I get this:

root at sce253:/# getfacl /server/users
getfacl: Removing leading '/' from absolute path names
# file: server/users
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:domain\040admins:r-x
default:mask::rwx
default:other::---

Go thru Computer Management -> Still access denied.

> ******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED
> 
> Can't see where I could be deviating
Ok i think here ( as workaround ) the following. 

> root at sce253:/# service smbd stop
> root at sce253:/# rmdir /server/share-files
> root at sce253:/# rmdir /server/users
> root at sce253:/# cd ..
> root at sce253:/# rmdir server
> root at sce253:/# mkdir -p /server/share-files
> root at sce253:/# mkdir -p /server/users
Install -d /server -o root -g "Domain Admins" -m 3771
> root at sce253:/# chown root:"Domain Admins" /server/share-files
> root at sce253:/# chown root:"Domain Admins" /server/users
> root at sce253:/# chmod 0770 /server/share-files
> root at sce253:/# chmod 0770 /server/users
Now try again. 

The message: 
> 
> ******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED 
Purly due to /server not allowing "DOMAIN USER" write access. 
Because ... What is the windows "Primary group" yes. Domain Users. 

So I thing also you might be affected with bug :  
https://bugzilla.samba.org/show_bug.cgi?id=13371 
https://bugzilla.samba.org/show_bug.cgi?id=11362

install -d /server -o root -g "Domain Admins" -m 3771 
Should help here as workaround. 

3 for the "domain admins" to enfoce this group and not domain users. 
7 for root/Administrator
7 for the "domain admins"
1 to allow access through this folder for everybody. 

Should work. 


Greetz, 

Louis

On Fri, 22 Feb 2019 09:52:36 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > ******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED
> > 
> > Can't see where I could be deviating
> Ok i think here ( as workaround ) the following. 
> 
> 
> > root at sce253:/# service smbd stop
> > root at sce253:/# rmdir /server/share-files
> > root at sce253:/# rmdir /server/users
> > root at sce253:/# cd ..
> > root at sce253:/# rmdir server
> > root at sce253:/# mkdir -p /server/share-files
> > root at sce253:/# mkdir -p /server/users
> 
> Install -d /server -o root -g "Domain Admins" -m 3771
> 
> > root at sce253:/# chown root:"Domain Admins"
/server/share-files
> > root at sce253:/# chown root:"Domain Admins" /server/users
> > root at sce253:/# chmod 0770 /server/share-files
> > root at sce253:/# chmod 0770 /server/users
> 
> Now try again. 
> 
> The message: 
> > 
> > ******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED 
> Purly due to /server not allowing "DOMAIN USER" write access. 
> Because ... What is the windows "Primary group" yes. Domain
Users.
> 
> So I thing also you might be affected with bug :  
> https://bugzilla.samba.org/show_bug.cgi?id=13371 
As I have already said, it depends on your perspective if bug 13371 is
actually a bug ;-)

If you use 'unix_primary_group = yes' and a user logs into a Unix
machine, they will get the Unix primary group instead of Domain Admins.
If the same user logs into a Windows machine, they will get Domain
Users as their primary group.

If the same user connects over the network (either from a Unix or
Windows machine) their primary group will be Domain Users, how can it
be otherwise, Samba is trying to emulate how Windows works, so it
doesn't care whether it is a Windows or a Unix machine. Because of
this, it has to work in the same way as a Windows machine expects.

My feelings are:
If you have only Unix clients, use 'unix_primary_group = yes' if you
wish. If you only have Windows clients, or a mixture of Unix & Windows
clients, don't.

Rowland

---
Marco J. Shmerykowsky, P.E.
marco at sce-engineers.com

--------------------------------------------
     Shmerykowsky Consulting Engineers
        Structural Analysis & Design
      102 West 38th Street, 2nd Floor
         New York, New York 10018
   Tel. (212)719-9700 Fax. (212)719-4822
        http://www.sce-engineers.com
--------------------------------------------

On 2019-02-22 3:52 am, L.P.H. van Belle via samba wrote:
>> ******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED
>> 
>> Can't see where I could be deviating
> Ok i think here ( as workaround ) the following.
> 
> 
>> root at sce253:/# service smbd stop
>> root at sce253:/# rmdir /server/share-files
>> root at sce253:/# rmdir /server/users
>> root at sce253:/# cd ..
>> root at sce253:/# rmdir server
>> root at sce253:/# mkdir -p /server/share-files
>> root at sce253:/# mkdir -p /server/users
> 
> Install -d /server -o root -g "Domain Admins" -m 3771
> 
>> root at sce253:/# chown root:"Domain Admins"
/server/share-files
>> root at sce253:/# chown root:"Domain Admins" /server/users
>> root at sce253:/# chmod 0770 /server/share-files
>> root at sce253:/# chmod 0770 /server/users
> 
> Now try again.
> 
> The message:
>> 
>> ******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED
> Purly due to /server not allowing "DOMAIN USER" write access.
> Because ... What is the windows "Primary group" yes. Domain
Users.
> 
> So I thing also you might be affected with bug :
> https://bugzilla.samba.org/show_bug.cgi?id=13371
> https://bugzilla.samba.org/show_bug.cgi?id=11362
> 
> install -d /server -o root -g "Domain Admins" -m 3771
> Should help here as workaround.
> 
> 3 for the "domain admins" to enfoce this group and not domain
users.
> 7 for root/Administrator
> 7 for the "domain admins"
> 1 to allow access through this folder for everybody.
> 
> Should work.
NOPE.

Blowing away this server and starting from scratch.

I must have done something stupid along the way which has
locked the behavior in.  It's definitely a permissions thing
that got set somehow at some point which won't let go.

Hope fully a clean install following all the instructions
that came up to this point will result in success.

My other server is working (somehow) and I'm scared to touch that
one at this point.  However, it does seem that there is something
floating in the samba/windows interaction that can be triggered
by incorrect configuration steps.

-------- Original Message --------
Subject: Re: [Samba] Computer Management - Share Security - No Read 
Access
Date: 2019-02-22 10:30 am
 From: Marco Shmerykowsky <marco at sce-engineers.com>
To: "L.P.H. van Belle" <belle at bazuin.nl>
> Ok, debian?
>
https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.1-samba-member-debian-install.txt
>
https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt
> Have a look at it, it might give you some ideas, this is how i install
> my servers.
> 
> I needs a bit of updating, but in general its still ok.
> Just keep an eye on the smb.conf and its contents that might need a
> bit updateing.
> And use :  apt-get install samba winbind acl attr libnss-winbind
> libpam-winbind \
>  ntp krb5-user bind9utils ldb-tools smbclient -y
Two things that I notice which differ from the information on
see on the wiki to date:

1) Your install routine mentions 'acl'

    Yes the wiki mentions make sure its installed and I thought
    I had checked this, but shouldn't it be listed on the wiki?

2) The wiki old mentioned SeDiskOperatorPivilege

    The member-fileserver document seems to set a number
    of items.  Is this belt and suspenders or do all this
    things need to be set explicitly?

On Fri, 22 Feb 2019 10:45:38 -0500
Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
> -------- Original Message --------
> Subject: Re: [Samba] Computer Management - Share Security - No Read 
> Access
> Date: 2019-02-22 10:30 am
>  From: Marco Shmerykowsky <marco at sce-engineers.com>
> To: "L.P.H. van Belle" <belle at bazuin.nl>
> 
> > Ok, debian?
> >
https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.1-samba-member-debian-install.txt
> >
https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt
> > Have a look at it, it might give you some ideas, this is how i
> > install my servers.
> > 
> > I needs a bit of updating, but in general its still ok.
> > Just keep an eye on the smb.conf and its contents that might need a
> > bit updateing.
> > And use :  apt-get install samba winbind acl attr libnss-winbind
> > libpam-winbind \
> >  ntp krb5-user bind9utils ldb-tools smbclient -y
> 
> Two things that I notice which differ from the information on
> see on the wiki to date:
> 
> 1) Your install routine mentions 'acl'
> 
>     Yes the wiki mentions make sure its installed and I thought
>     I had checked this, but shouldn't it be listed on the wiki?
This is a 'belt and braces approach'. it is normally installed by
default on Debian based distros.
> 
> 2) The wiki old mentioned SeDiskOperatorPivilege
> 
>     The member-fileserver document seems to set a number
>     of items.  Is this belt and suspenders or do all this
>     things need to be set explicitly?
Certain things need to be in place before you can set the permissions
from Windows, the wiki page shows these steps. The only step I didn't
state in the document I sent you is (and I Apologise for this), you
must log into Windows as either 'DOMAIN\Administrator' or as
'DOMAIN\username' where 'username' is a user that is a member of
Domain Admins. 

Rowland